id,summary,reporter,owner,description,type,status,component,version,severity,resolution,keywords,cc,stage,has_patch,needs_docs,needs_tests,needs_better_patch,easy,ui_ux 14612,Password reset page leaks user count,Paul McMillan,nobody,"`django.contrib.auth.views.password_reset_confirm()` leaks information related to the number of registered users in the system. To reproduce, enable admin, add a user, and import the urlconf from `contrib.auth.urls`. Visit the reset URL with a request like this: {{{ http://localhost:8000/reset/1-2-3/ }}} Repeatedly increment the first value (starting at 1 in this example). When the value is equal to the pk of a valid user, the page returns a 200 with an explanation that your reset URL was invalid. When you reach a user pk that has not yet been assigned, you get a 404. While the user count is not incredibly vital to security, most admins would prefer not to leak information in this fashion.",,closed,contrib.auth,1.2,,fixed,,,Accepted,0,0,0,0,0,0